504897 : Guest account is possible sign of worm (Nimda)

Risk 5:
Miscellaneous

There is evidence that the system has been penetrated by
an Internet worm. Files or system information may have
been transmitted to remote parties, unauthorized file
modifications may have taken place, and backdoors allowing
unauthorized access may be present. Furthermore, it is
likely that the system is being used as a launching
point for further propagation of the worm across the
network.

A worm is a self-replicating program designed to spread across a
network without requiring any outside actions to take place.
The main difference between a worm and a virus is that a
virus relies on human actions, such as opening e-mail attachments or
sharing files, to copy itself from one computer to another,
whereas a worm is able to do so independently, allowing
it to spread much faster.

Nimda and Nimda.E worm

The Nimda worm, also known as the Concept Virus, is capable of spreading very fast because
it uses four separate exploits to propagate:

1. IIS vulnerabilities, including the Directory Traversal
   vulnerability and backdoors left behind by the Code Red and
   sadmind/IIS worms. Upon finding a vulnerable server, the worm
   copies a file called Admin.dll to the server
   using the TFTP protocol.
2. Automatic Execution of Embedded MIME types,
   which causes an attachment called readme.exe
   to automatically run when an e-mail message is opened. The
   attachment is sent in an e-mail message which sometimes comes
   from a spoofed address.
3. Infection of web pages with malicious JavaScript which
   causes some browsers to automatically download and execute a file called
   readme.eml, due to the same vulnerability as in
   the item above. The worm appends the malicious JavaScript
   code to all files ending in .html, .htm,
   and .asp.
4. Copying itself using Open File Shares. The worm
   copies a file called readme.eml to every writable directory,
   including shared network drives where it can be run on other
   systems.

In addition to the actions mentioned above which the worm
uses to propagate, it also does the following:

- replaces many executable files on the system with Trojan Horse versions
  which run the worm any time an infected file is run
- positions itself in such a way that it is executed
  whenever a document is opened
- creates a backdoor on the system by enabling the Guest
  account and by sharing the C drive so that the entire drive
  is readable and writable remotely

The Nimda.E worm is a variation of the Nimda worm. It has all
of the same characteristics as the Nimda worm, but the filenames it uses
have been changed to avoid detection by intrusion detection tools and
scanners.
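A filesystem sweep for the indicators described above (dropped readme.eml / Admin.dll files, and .html/.htm/.asp pages carrying an appended script block that references readme.eml), as an added example that is not part of this advisory. The filename list and the script pattern are assumptions derived from the behaviour described here, and because Nimda.E changes the filenames, a clean result from this sweep is not conclusive.

```python
"""Scan a directory tree for the filesystem indicators this advisory lists:
dropped worm files (readme.eml, Admin.dll) and web pages (.html/.htm/.asp)
carrying an appended <script> block that references readme.eml.
Added example, not code from the original advisory.
"""
import os
import re

# Filenames the advisory says the worm drops. Nimda.E renames them, so a
# clean result here is necessary but not sufficient evidence.
DROPPED_NAMES = {"readme.eml", "admin.dll"}
WEB_EXTENSIONS = {".html", ".htm", ".asp"}

# A <script ...>...</script> block whose body (not the text after it)
# mentions readme.eml; the exact markup the worm appends is not assumed.
INJECTED_SCRIPT = re.compile(
    r"<script\b[^>]*>(?:(?!</script>).)*readme\.eml(?:(?!</script>).)*</script>",
    re.IGNORECASE | re.DOTALL,
)

def page_is_infected(content: str) -> bool:
    """True if the page text carries a script block referencing readme.eml."""
    return INJECTED_SCRIPT.search(content) is not None

def scan_tree(root: str) -> dict:
    """Walk root and return {'dropped': [...], 'infected_pages': [...]}."""
    findings = {"dropped": [], "infected_pages": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() in DROPPED_NAMES:
                findings["dropped"].append(path)
            elif os.path.splitext(name)[1].lower() in WEB_EXTENSIONS:
                try:
                    with open(path, encoding="utf-8", errors="replace") as fh:
                        if page_is_infected(fh.read()):
                            findings["infected_pages"].append(path)
                except OSError:
                    pass  # unreadable file: skip rather than abort the sweep
    return findings

if __name__ == "__main__":
    import sys
    for kind, paths in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for p in paths:
            print(f"{kind}: {p}")
```

Run it against a web root or a mounted share; any hit warrants the offline remediation described below rather than deleting the file alone.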

The paragraphs below explain how to remove a worm
from an infected system. However, removal of the worm
does not solve the problem at its root. The presence of
the worm is evidence that a critical vulnerability exists
on the host. The system should be taken offline until
it is certain that the vulnerable services have been upgraded
to the latest, patched versions.